Data Protection reforms - long overdue - are stuck in the European Council
To mark international Data Privacy Day, Emily Taylor reflects on the faltering progress of European Commission Cyber Law reforms.
(UPDATED with input from Amelia Andersdotter, MEP.)
EU Commissioner Viviane Reding accuses Member States of “stalling” cyber law reform. Meanwhile, a survey reveals business concerns over data privacy in the wake of the NSA mass surveillance scandal. What’s going on?
According to a survey of 300 UK and Canadian businesses by British hosting company Peer 1, 25% say that the NSA scandal had a big impact on their decision to stop using US hosting services. Over 80% say they are likely to switch to providers headquartered in their own country within 5 years.
The Snowden revelations demonstrate that whatever we thought our cyber laws were doing to protect our privacy, we were mistaken. Cyber law reform is needed to bring the law up to date, so why is it that, in the words of Robin Wilton, the Internet Society’s Technical Outreach Director – Identity and Privacy, “the proposals appear to be comprehensively stalled”?
Amelia Andersdotter, MEP for Sweden’s Pirate Party, explains:
“The reform is going slowly because it’s about redistribution of power. Data protection laws put more power in the hands of individuals, and less power in the hands of entities which interact with individuals, both member states and large American companies”.
It’s never good to reform legislation as a knee-jerk reaction to a scandal or media pressure (think Dangerous Dogs Act), but there are many other reasons why cyber law (Data Protection, Privacy and so on) reform is due, or overdue.
Less than 1% of the EU population was online in 1995 when our current Data Protection laws were enacted. By 2012, an estimated 73% of Europeans had become Internet users, and nearly 40% were Facebook subscribers. Despite incremental changes over the years, cyber law has fallen behind reality: the economic value of people’s data exhaust, “big data” mining techniques, and the boggling array of sensitive information that individuals share daily.
Meanwhile, according to a study done for the EU Commission before the NSA scandal hit the newswires, Europeans were expressing high levels of concern about cyber security, including that their online personal information is not kept secure by websites or public authorities. How right they were!
Scholars have highlighted the uneven implementation of data protection laws across Member States, as demonstrated by diverse responses to Google Street View. A growing realisation that (in the prescient words of German business daily Handelsblatt) ‘Google knows more about you and me than the KGB, Stasi or Gestapo ever dreamed of’ has motivated a policy debate on how to give citizens control over their online information.
Everyone knows that the US doesn’t have cyber laws to protect privacy, right? However, as citizens’ concerns over privacy have grown, US authorities have imposed whopping fines on Internet giants for breaking promises about the way they handle personal data. Meanwhile, national data protection authorities in the EU have only had the power to impose slaps on the wrist (or “pocket money” in the words of Viviane Reding) for similar behaviour. This highlights the need for cyber laws to have more meaningful sanctions to protect privacy.
For more than a decade, cyber law and policy discussions have tried unsuccessfully to balance the competing, legitimate interests in online users being able to have a degree of privacy (or even anonymity) versus the need for law enforcement to identify cyber-criminals. These tensions are often played out in the data protection discourse.
The Commission initially greeted the advent of cloud computing with excitement about the economic opportunities it might offer for EU businesses. However, the Snowden revelations indicate that the cloud also challenges existing cyber law on cross-border data transfers, and creates tempting data honeypots for the security services, which the current legal framework has been powerless to prevent. According to Robin Wilton:
“At the citizen level, it is clear that our faith in phrases like ‘necessary and proportionate’…was misplaced”.
Proposals for cyber law reform – a Draft Data Protection Directive, and Draft Directive on Police and Judicial Powers – were originally published at the beginning of 2012, before anyone had ever heard of Edward Snowden.
The proposals include a “right to be forgotten”, aimed at disclosure of personal data through social networks (those drunken photos that come back to haunt us at job interviews). They also encourage “privacy by design” in new software applications, baking in data protection at the level of code.
Other measures include extending data protection for EU citizens no matter where their data is processed, including the United States.
Robin Wilton takes up the narrative, “When you look at the reported areas of contention, it’s no surprise that they are all the hard problems: How to define/regulate/achieve pseudonymity/anonymity? Is auditable, enforceable deletion of personal data actually possible? How to achieve cross-border accountability for processing of personal data”.
As well as the well-worn policy issues, recent revelations of mass surveillance “have forced a fundamental re-evaluation of existing political assumptions, including safe harbour, passenger name records and so on”, according to Wilton.
It’s not just the policy that is difficult. There are massive economic interests at play. According to Pirate Party MEP Amelia Andersdotter, speaking at November’s Internetdagarna, “Google has sponsored 6 organisations to lobby me against Data Protection reform”. Google’s aggressive (almost threatening) lobbying lines were apparent in the same session: “Europe needs to be careful. EU Digital sovereignty will create trade barriers”; “The EU is unable to solve its differences with the US, so it goes after companies” (David Mothander, Nordic Policy Council, Google).
While cyber law reforms on data protection are stuck in Council, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) published a draft report on the US NSA surveillance programme and its impact on EU citizens. Well worth a read, the report notes that “international treaties and EU and US legislation, as well as national oversight mechanisms, have failed to provide for the necessary checks and balances and for democratic accountability”. It states that “these mass surveillance activities appear also to entail illegal actions by intelligence services”, and offers a bleak conclusion for EU public institutions and citizens: “there is no guarantee…that their IT security or privacy can be protected from intrusion”.
Proposing a “Digital Habeas Corpus”, the draft report calls on Member States to “show a sense of leadership and responsibility and accelerate their work on the whole Data Protection Package in 2014”. It also calls for an immediate suspension of Safe Harbour.
Despite the current impasse, pressure from both Commissioner Reding and the LIBE Committee may yet win the day. There are no ready comebacks to the stark question “In which society do we want to live?”, posed in the LIBE draft report.
Despite the findings of Peer 1’s survey of business, and the stated intentions of businesses to move their data back onshore, the reality is that it’s not going to be easy or cheap. US companies dominate in the provision of online and cloud services, and the topology of the Internet means that most Internet traffic either passes through the US or is subject to the extraterritorial reach of US cyber law (like the Patriot Act and FISA).
It would be reassuring to think that European citizens’ political representatives would stand up and show leadership in the face of flagrant breaches of privacy laws and push through needed cyber law reforms to cope with the reality of today’s online life. Andersdotter believes that EU leaders “will see the wisdom in pursuing democratic values and European cooperation with a vision for peace through trade.”
But, as well as difficult policy questions, there are powerful economic vested interests at play.
Viviane Reding believes that strong data protection will be a selling point, a competitive advantage: “trust is bankable”. Maybe, but behavioural advertising has proven pretty bankable too.
Emily Taylor is the CEO of Oxford Information Labs. She is an Associate Fellow of Chatham House and is the Editor of the Journal of Cyber Policy and co-founder of ICANN accredited registrar, Oxford Information Labs.